| Effective Date | July 1, 2025 | Policy Owner | Information Technology Services (ITS) |
|---|---|---|---|
| Last Reviewed Date | July 1, 2025 | Approved By | President's Council |
| Review Cycle | Annual | Policy Contact | Information Security & Compliance Analyst |
Policy Purpose
This policy establishes guidelines for the collection, use, and protection of personal mobile phone numbers and personal email addresses by New York Tech for the purpose of positively identifying end users in support of identity and access management (IAM) systems.
Policy Scope
This policy applies to all New York Tech students, faculty, staff, contractors, and guests who provide personal contact information for identity verification purposes.
Policy Statement
New York Tech may collect and use personal mobile phone numbers and personal email addresses to:
- Facilitate secure identity verification during account creation, password resets, and multi-factor authentication (MFA) processes.
- Communicate time-sensitive security alerts or identity-related notifications.
- Support lifecycle management of non-employee accounts, including sponsored guest access.
All use of personal contact information will comply with applicable federal, state and local laws and institutional policies, including the Telephone Consumer Protection Act, New York Tech's Acceptable Use, Data Security and Access Management, and Mobile Device policies.
Collection and Consent
When users provide their personal contact information, they are deemed to have consented to receiving SMS, voice, and email messages related to identity verification and authentication processes.
- Personal contact information is collected voluntarily during onboarding or account provisioning.
- Sponsors of non-employee accounts must input accurate contact details, including mobile numbers and email addresses, into the IAM platform.
Use and Disclosure
Personal contact information will be used for identity verification and authentication purposes, in addition to other institutionally approved use cases. It will not be shared with third parties except as required by law or institutional policy.
New York Tech may use this information to send verification codes, identity confirmation links, or security alerts via Short Message Service (SMS), voice call or email.
Data Protection and Retention
All personal contact data will be stored securely in accordance with New York Tech's Data Security and Access Management Policy.
Access to this data is restricted to authorized personnel within ITS and is subject to audit and review.
Data will be retained only as long as necessary to fulfill its identity verification purpose and will be deleted in accordance with New York Tech's Record Retention and Destruction Policy.
Responsibilities
ITS is responsible for implementing and maintaining systems that securely handle personal contact information. Users are responsible for keeping their contact information up to date and reporting any unauthorized use.
A2P 10DLC and Telephone Consumer Protection Act Compliance
To comply with A2P 10DLC requirements, New York Tech will adhere to the following guidelines:
- Opt-In/Opt-Out Instructions: Users will be informed of the opt-in conditions to receive identity verification messages during the onboarding process. Users can opt-out at any time by following the instructions provided in the messages or by contacting ITS.
- Message Frequency: Identity verification messages will be sent only as needed for authentication purposes, such as during account creation, password resets, and multi-factor authentication processes.
- Data Usage: Personal contact information will be used for identity verification and authentication purposes, in addition to other institutionally approved use cases. It will not be shared with third parties except as required by law or institutional policy.
- Privacy Assurances: New York Tech is committed to protecting the privacy of users' personal contact information. All data will be stored securely, and access will be restricted to authorized personnel within ITS. Data will be retained only as long as necessary and will be deleted in accordance with New York Tech's Record Retention and Destruction Policy.
Related Internal Policies
- Acceptable Use Policy
- Data Security and Access Management Policy
- Mobile Device Policy
- Record Retention and Destruction Policy (Requires Login)
Regulatory References
Violations
Violations of this policy may result in disciplinary action in accordance with New York Tech's Code of Conduct and applicable employment or academic policies.